Ok Devs-
(ALSO sync owners, don't update your sync systems anymore by ford, we are getting close to unlock it, and they will put out updates to bork our hack).
I need some help please. I need to modify this POS sync. You can't do anything with it. I want to get navigation running or bluestacks to run android.
I got the official Ford USB reboot file; I have attached it here. It has the signed files that we need.
I was able to trigger the install event with those files. And I believe this is our key to Jailbreak the system.
The best part is that you can run stacked commands on those install scripts. https://www.coalfire.com/The-Coalfire-Blog/October-2014-(1)/Reverse-Shells-and-Your-Car?feed=blogs
I have been struggling to get it to execute, presumably, I don't know anything about win CE.
I have the win CE cmd.exe on my usb. Place it into the system, it recognizes and initiates upload. What the code below is trying to do is piggy back on the copy via stacked code to upload cmd.exe to the system then execute it. Unless there is another way to get a shell, once we get the shell, WE OWN THEM.
This is what my path is listed on my autoinstall.1st file -
Open1 = DelayedReboot.cab; cmd.exe \tmp\cmd.exe; \tmp\cmd.exe
the cab is required as it is signed by microsoft and bypasses the lock to load additional code.
Changing the semi colon to & makes it error out, so the semi colon is correct, just dunno if I have the paths right. Normally, it would be something like for linux /fs/usb0/etc...... but I am not sure about CE lists the usb device path...again I am win CE retarded. UNless there is a way to % to the paths, but I dunno much about win.
Sync, recognizes and executes with no errors. If I change my code a little, it will not work and say error.
SO what am I missing to get the cmd to run? Or is it already? I was expecting a shell to pop up?
If someone can point me in the right direction, or to point what file I can call to execute the onboard navigation, that would be awesome as well.
Even if we can't get a shell, I'd like to be able to execute a file, then I can run MIOpocket on this thing and ditch sync for android apps.
I have also attached the sync app developer guide link. With programming commands for apps.
https://developer.ford.com/uploads/DevConf%20-%20Track%205%20-%20Best%20Practices.pdf
Here is a link to the windows 7 automotive guide on how the system operates, kernel info, driver info, and stuff.
http://download.microsoft.com/download/0/A/1/0A1E07D6-7562-4566-AACF-E04DF4FF8879/A%20Technical%20Companion%20to%20Windows%20Embedded%20Automotive%207%20(final).pdf
UPDATE: 04/19/2015 -
While it is not a software hack, IT IS possible to unlock the navigation only portion of the MFT 8", if you have it without nav.
IF YOU DO THIS, YOUR CAR WARRANTY IS VOID. You've been warned.
It will cost a little money, but not set you back $1000 like nav tv and lockpick are charging. Maybe $100 or so.
Here is what you need to do, if you can't wait for us to unlock the bootloader.....
1 - Get a used APIM only part with the numbers DS7T in it. (aluminum only part with the fins, you DO NOT need the screen)
2 - Get the VIN# of the car it came out of and check the VIN to see if it was enabled with factory NAV. There are internet sites that will check the VIN for you. Must be a unit with NAV enabled.
http://researchmaniacs.com/VIN-Number-Lookup/WindowSticker/Ford.html
3 - Install the APIM only to the back of your LCD.
4 - The system will reboot and reset.
5 - The system will then ask you to insert the NAV sd card, do that. (obviously, you have to buy a nav card from ebay as well, but those are $10)
6 - Enjoy factory NAV for about $100
This is the only workaround for now. THE APIM is separate from the sync system and only interfaces with it. So, you will retain all your OEM VIN# locked stuff and it will survive reboots and updates. The nav actually just unlocks on that APIM portion, believe it or not. This method doesn't tie into the file system software, it merely accesses it.
Now.... if someone would be so kind as to just rip the NAND chip from one of those units and post it, so that we can just flash over our existing equipment, we can do this for FREE!!!!!!
Still working on the video bypass.... It would be nice if our Russian friends can start chiming in for that one please.....
DON'T FALL FOR THE EBAY GUY CHARGING $600 to $700 for this. Let's put him out of business.... Your help is needed.
PROPS TO rahrena8690 for the find.
WORKING FILE LINKS - FOR DEVELOPERS ONLY
Delayed Reboot project
https://mega.co.nz/#!m0BEWSrA!qrdgIRYTvccH52794ktdpRfrulI_pSdY3g-iiCyhaFs
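As an added example (not code from this thread or from Ford), here is how an installer could parse a manifest so that a value like the `Open1` line quoted in the post above is refused instead of being interpreted as several commands. The `key = value` layout, the `OpenN` key pattern and the `verified_packages` input are assumptions made for illustration.

```python
import re

# Characters that would let one manifest value carry more than one action.
SEPARATORS = set(";&|\r\n")
# A package reference is one bare .cab file name: no path, no arguments.
PACKAGE_RE = re.compile(r"[A-Za-z0-9_\-]+\.cab", re.IGNORECASE)

# Constructed sample inputs. STACKED is the line quoted in the post.
CLEAN = "Open1 = DelayedReboot.cab"
STACKED = r"Open1 = DelayedReboot.cab; cmd.exe \tmp\cmd.exe; \tmp\cmd.exe"
# Hypothetical: names whose signature the platform has already checked.
VERIFIED = {"DelayedReboot.cab"}


class ManifestError(ValueError):
    """Raised when a manifest line must not be acted on."""


def parse_manifest(text):
    """Return {key: value} for 'key = value' lines; reject anything else."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key:
            raise ManifestError(f"line {lineno}: not a key = value pair")
        if key in entries:
            raise ManifestError(f"line {lineno}: duplicate key {key}")
        entries[key] = value.strip()
    return entries


def packages_to_install(text, verified_packages):
    """Validate every OpenN entry and return the package names in order.

    The whole value must be exactly one verified package name. It is never
    split, so nothing after the first file name can ride along with it.
    """
    allowed = {name.lower() for name in verified_packages}
    result = []
    for key, value in parse_manifest(text).items():
        if not re.fullmatch(r"Open\d+", key):
            continue
        if SEPARATORS & set(value):
            raise ManifestError(f"{key}: command separator in value")
        if not PACKAGE_RE.fullmatch(value):
            raise ManifestError(f"{key}: not a bare .cab file name")
        if value.lower() not in allowed:
            raise ManifestError(f"{key}: {value} is not a verified package")
        result.append(value)
    return result


def audit(text, verified_packages):
    """Human-readable verdict for one manifest, suitable for an install log."""
    try:
        return "ok: " + ", ".join(packages_to_install(text, verified_packages))
    except ManifestError as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    for sample in (CLEAN, STACKED):
        print(audit(sample, VERIFIED))
```

The design point is that the signature check and the execution step must agree on what a single entry is: validating the full value as one file name closes the gap between "the first file is signed" and "everything on the line gets run".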
awesome work
I have been wanting to get into this system since the day I got my truck. All ford has succeeded in doing is piss me off with "updates" that didn't amount to much. I would be happy if they would at least allow applink on the touch systems, as that would at least give us some options to add our own work.
I would love to help, but don't have much experience with "rooting", Windows CE, etc. But looking at what you have so far, I will offer some thoughts that came to mind:
It seems to me that you are working at the bootloader level, not the OS level. I may be way off here, but this could be why cmd won't work, as the OS is not loaded, so a traditional shell is not yet possible.
If you are indeed at the OS level, I wonder since you didn't get any errors when trying to launch cmd, if it was indeed actually running. I know on windows systems, if you manage to launch a process as "system", you typically can't interact with it (security issue). I don't know CE at all, but wonder if PsExec would work if it is launching your exe, but as system...
If it is executing your exe as system, perhaps a script or small app that writes some info about the system to a file on the usb drive would help. IE, have it list the folder structure for example.
I know we are not alone on people wanting to work on this. It looks to me that with Sync 3 dumping MSFT, we may be left in the dust with no further updates, although, this guy has found some signs that it might still get some useful updates:
http://www.reddit.com/r/Ford/comments/2rf2cc/ford_may_announce_updates_to_sync_gen2_myford/
Thanks
Thanks Pro. Any new updates? Actually I just purchased a Lincoln MKZ 2014; although I know it is hardware capable to run navigation since I get latitude and longitude, unfortunately there is no navigation from the factory. I just played with My Lincoln Touch and in the settings there is a tab for installing apps. So can we install any windows CE app?
Nothing yet.
Sync updates are rolled out every 6 months.
Rumor was that we are all getting blackberry upgrade from Microsoft.
Update is expected Feb 2015 or so.
We are sitting on the sidelines waiting to see what Ford will do, before we start porting over. There may be no need for our work if we get port link to the new system. I think Ford is on our side, as they don't want us open sourcing the system and have to deal with warranty claims.
kthejoker20 said:
Nothing yet.
Sync updates are rolled out every 6 months.
Rumor was that we are all getting blackberry upgrade from Microsoft.
Update is expected Feb 2015 or so.
We are sitting on the sidelines waiting to see what Ford will do, before we start porting over. There may be no need for our work if we get port link to the new system. I think Ford is on our side, as they don't want us open sourcing the system and have to deal with warranty claims.
i don't think so. we will not get the QNX update. I think it is a different system with different architecture and requirements. but i hope they unlock the FMT or LMT so we can install any windows ce app.
Please don't reply to this thread with comments or requests.
I'd like to keep it clean to only development comments.
Based on what I'm reading around the page 26 mark (bootloaders section of the windows embedded 7 pdf), it sounds like we need to attempt to give the IPL boot arguments to get into update or development mode and from there we could have a chance of pushing our own files. I would think update mode looks for a signature but dev mode might let anything in.
Way ahead of you. The attached file has the signature. I was able to successfully run stacked commands by modifying the attached reboot file. Problem, the command doesn't stick on reboot.
kthejoker20 said:
Way ahead of you. The attached file has the signature. I was able to successfully run stacked commands by modifying the attached reboot file. Problem, the command doesn't stick on reboot.
So you were able to launch a command prompt via the delayed reboot zip? I wonder if it would be possible to hack a sync update and then use this to push it.
I need a zip please... I can induce an update no command prompt yet
I can only run commands stacked, but I need to run a script on the sync side, but I can't figure out how to push the script to the sync
kthejoker20 said:
I need a zip please... I can induce an update no command prompt yet
I can only run commands stacked, but I need to run a script on the sync side, but I can't figure out how to push the script to the sync
This is the latest myford touch update Gen2-V3.7.11
http://www.mediafire.com/?79v3d0d8972sy44
Here is the Delayed Reboot zip
http://outofmytouch.com/assets/delayed_reboot.zip
So some very quick looking tonight and I found EA5T-14D546-ATD contains the master patch. Decompiling some of the shockwave files I have found some interesting code. These would most likely be the files to hack to change factory behavior. Getting them flashed to a vehicle might be a whole other issue though.
Edit: After more browsing I think we need to target a master patch for an older version of Sync. I was looking at the master patch for the most current so there are going to be less files patched. I will have a peek at those later.
For some reason, the coalfire site took down its information regarding the reverse shell of the infotainment system.
Here is what I am talking about with the command on the delayed reboot file. I have conveniently located the stacked command image and attached it for your viewing pleasure.
If we can patch the files, this is how we push them to the chip. Otherwise, I may have to PHYSICALLY pull the system files through JTAG tap... sigh... not really wanting to do that though...
If we can push them, we would have to unlock the bootloader to bypass the sigs... This is where my brain is starting to hurt....
Obviously, these commands do not apply to what we are doing, as that is QNX. Plus, I don't want any noobs spunking their system with our fashizzle yet...until we test it.
Just a final thought, as a plan B, we could reverse shell with the USB exploit as well... just saying.. might be easier
An integer overflow might work as well, but I have never experimented on an embedded chip. Stacked command invoking an integer overflow, might give us write access to the system.
Has any thought gone into rewriting one of the dll's included in the latest patch to include some sort of backdoor? It seems it'd be easy (maybe I'm missing something here) to just modify the latest patch's install files to install our new dll.
I haven't had time yet, but I am going to try to USB otg pull.... I'm sure I can probably at least disable the vss lock.
kthejoker20 said:
I haven't had time yet, but I am going to try to USB otg pull.... I'm sure I can probably at least disable the vss lock.
When you tried running the cmd prompt with the stacked command approach did you get any indications of the program running? I was thinking about adding some arguments to the end of the command to write a random file to the root of an available drive (like you said, who knows how the thumb drive is recognized).
Also, what type of processor does the system run on?
---------- Post added at 11:51 PM ---------- Previous post was at 11:30 PM ----------
duckboy81 said:
When you tried running the cmd prompt with the stacked command approach did you get any indications of the program running? I was thinking about adding some arguments to the end of the command to write a random file to the root of an available drive (like you said, who knows how the thumb drive is recognized).
Also, what type of processor does the system run on?
I think I answered one of the questions. From the PDF you posted "A Technical Companion..." it's a Freescale IMX35 processor.
freescale.com/webapp/sps/site/taxonomy.jsp?code=IMX35_FAMILY&cof=0&am=0
Looking forward to following the progress of this thread! I hope that you all will discover a new solution to these outdated systems! Good luck guys, I am rooting for you!
duckboy81 said:
When you tried running the cmd prompt with the stacked command approach did you get any indications of the program running? I was thinking about adding some arguments to the end of the command to write a random file to the root of an available drive (like you said, who knows how the thumb drive is recognized).
Also, what type of processor does the system run on?
---------- Post added at 11:51 PM ---------- Previous post was at 11:30 PM ----------
I think I answered one of the questions. From the PDF you posted "A Technical Companion..." it's a Freescale IMX35 processor.
freescale.com/webapp/sps/site/taxonomy.jsp?code=IMX35_FAMILY&cof=0&am=0
Actually I am pretty sure the MyFord Touch processor is an I.MX51 according to a Ford PDF I found. Unfortunately I am new to posting here and it won't let me post links.
I work on the almost identical I.MX53 processor at work doing Linux kernel, u-boot boot loader, and Linux application software, so I might be able to help.
Most of the I.MX processors have built in ROM code that allows booting to a USB or Serial download mode. This allows loading any software you want into any RAM address and then booting from it. Then you run completely out of RAM (like a live CD). Depending on how Ford set up the I.MX51 e-fuse settings, there may be an external pin that could be used to enter this serial download mode. Freescale provides a tool called the MfgTool to load software using the serial download mode. Then you could load Linux, Android, or whatever. The e-fuses also allow you to lock out JTAG, serial download mode, and enable boot time signature checking, but I am not sure if Ford used any of these to lock the system down.
Do we know where the processor is located in the fusion?
I am proud to announce the immediate availability of Windows Phone Internals 1.0. This tool allows you to unlock the bootloader of selected Lumia Windows Phone models. After unlocking the bootloader, you can enable Root Access on the phone or create and flash Custom ROMs. I created two videos to demonstrate the features of the tool.
Root Access allows you to load your own homebrew software onto the phone with high privileges. Apps can escape from their sandboxes. The tool can also create backup-images of the phone and access the file-system in Mass Storage mode. The tool supports most versions of Windows Phone 8.1 and Windows 10 Mobile. For a complete list of supported phones and Operating Systems have a look at the Getting Started section of the tool.
The download package also contains an SDK, which helps you to easily access the filesystem and registry on the phone from your own homebrew app.
The tool, SDK and videos are available on my new website:
www.wpinternals.net
Update December 23rd:
Windows Phone Internals version 1.1 is released. It has a fix for the audio-issue when Root Access is enabled and it supports Root Access on the latest Windows 10 Mobile build 10.0.10586.36. You can find the new version of the tool in the Download section on wpinternals.net
It seems there were extra integrity checks for playing media. I fixed this for audio-playback. I will create a generic fix later, but this will work for now. If you already have Root Access and you experience the Audio-issue, just "Enable Root Access" again on the phone.
Update December 29th:
A small update this time. Changes in this version:
Compatibility improvement for Windows 7. In previous versions "Enable Root Access" could result in "Failed to enable Root Access on MainOS".
"Restore bootloader" now uses a different Flashing interface. Previously, when you restored the bootloader, you were forced to do a full flash afterwards. With this new method you can keep your current Windows Phone installation. Remember that you need to disable Root Access before you restore the bootloader.
Many small fixes and tweaks.
FAQ
If your question is not answered here, please watch my instruction videos and read the "Getting started" section in my tool. I spent a lot of time to explain everything. If you have more questions, they are probably already answered there.
Can we run Android on Lumia now?
Why people ask this is beyond me. If you want Android, buy an Android phone. If you still want it, it will be a big challenge. You can remove UEFI, EFIESP, MainOS and Data partitions and then add hboot and other Android partitions. But then you would still need Android drivers for the Lumia components.
Which Lumias are supported by the tool?
Lumia 520, 521, 525, 620, 625, 720, 820, 920, 925, 928, 1020 and 1320 are supported. These bootloaders can be unlocked.
Which OS versions are supported?
For these OS versions Root Access can be enabled. To enable Root Access, the bootloader must be unlocked first.
8.10.12393.890
8.10.12397.895
8.10.14219.341
8.10.14226.359
8.10.14234.375
8.10.15116.125
8.10.15148.160
10.0.10512.1000
10.0.10536.1004
10.0.10549.4
10.0.10581.0
10.0.10586.11
10.0.10586.36
I will add support for new versions when they get released.
Why are other Lumias not supported?
Other Lumias have different CPU architectures. And these come with different bootloaders. Some of my hacks depend on the implementation of these bootloaders. Some of my hacks won't work on different bootloaders. I need to find new hacks for these bootloaders. I will try that, but I can't predict when that is ready. The tool has implemented all the basics. So adding new hacks will be easier.
Why are other brands not supported?
Same reason. Some hacks work differently. I will try to add support for other brands. But I don't know when it is ready.
I need Emergency Flash Loaders. Where can I get them?
This search should yield relevant results:
https://www.google.com/search?q=%22lumia%22+%22emergency%22+%22hex%22
I need an Engineering SBL3. Where can I get it?
This search should yield relevant results:
https://www.google.com/search?q=%22engineering+sbl3s%22
You can download a full Engineering ROM or a separate SBL3 file. If you select an FFU file in the tool, the tool will extract the SBL3 from the FFU. SBL3 contains hardware-profiles of the phone and it initializes the hardware. Therefore you should only use an alternative SBL3 if it came from a phone that is at least the same brand and CPU architecture as your phone.
I can't find a matching Engineering SBL3. Can I still unlock my phone?
Yes. The alternative SBL3 is optional. You can still unlock your bootloader and flash Custom ROMs. But you will not have Mass Storage Mode. So you won't be able to enable Root Access directly on the phone or make a full backup-image of the phone. But you can still flash Custom ROMs and enable Root Access on the Custom ROMs. Use the second method from my "Unlock" video.
I unlocked my phone and now my audio is gone. Why?
This is an issue with Root Access in Windows Phone Internals 1.0. Update to Windows Phone Internals 1.1 and then choose "Enable Root Access" again.
Can I SIM-unlock my phone with this tool?
No. SIM-unlock is illegal in some countries. I don't support SIM-unlock.
Great job @Heathcliff74! The king is back!
Simply amazing! Made a donation to honour your work! Hope other devs use this to push the boundaries of the os!
@Heathcliff74 THX, you are amazing :good: I'll be waiting for support other models (eg X3X series).
Awesome stuff, can't wait to see the potential fruits of this development! Thanks @Heathcliff74
Is it possible to change Lumia PRODUCT CODE too?
Thanks
super big news
Thank you very much my friend
good job but where to find flashing loader. i have ffu of my phone..
is it possible to unlock bootloader in windows 10 mobile.?? i have lumia 525 which is supported but i don't have ffu for windows 10 mobile..if i flash my phone with wp8 ffu, then is it possible to update my phone to w10 mobile.??need a reply..
A AJAY said:
good job but where to find flashing loader. i have ffu of my phone..
Riyad_ said:
is it possible to unlock bootloader in windows 10 mobile.?? i have lumia 525 which is supported but i don't have ffu for windows 10 mobile..if i flash my phone with wp8 ffu, then is it possible to update my phone to w10 mobile.??need a reply..
Download the tool, go to the "Getting started" and read thoroughly. These questions are answered there.
@Riyad_ , the short answer is: Yes, it is possible to update to Windows 10 Mobile and unlock it. Follow the instructions.
ya found my answer. but i have another question. im in now w10m build 10586.if i unlock bootloader then i update my phone to new w10m build(after release) ,the bootloader unlock will remain or not.??
N.B. - in the app u said to disable auto update in phone that's why i m asking.thanks..
thanks heathcliff. great work. :good:
Very very nice Cliff
Error when trying to open the website
Parse error: syntax error, unexpected T_STRING in /home/deb56898n2/domains/wpinternals.net/public_html/templates/jsn_metro_free/template.defines.php on line 19
Would this make dualbooting Windows 10 Mobile and Android possible on Lumia ?
i think i found a "bug". i am using a lumia 1020 with the newest windows 10 mobile build. the lumia 1020 is at&t branded and sim unlocked, but your software says under phone - info that the sim is stock locked. also i don't think the bootloader unlock or the flash of a custom firmware will work with a branded phone or does it now ?
also, it isn't really important, but you should in your software under getting started maybe link the "windows device recovery tool" instead of the abandoned "lumia software recovery tool". another thing: windows startscreen gives me a warning if i start the program as the publisher of the tool is unknown and chrome warns me too that the downloaded archive from your website could probably be a virus.
other than that: awesome. thanks
Finally! Thank you very much!
Does this mean Android on Lumia coming soon?